REQU-07

Does operating your solution require the institution to operate a physical or virtual appliance in their own environment or to provide inbound firewall exceptions to allow your employees to remotely administer systems in the institution's environment?

Explanation

This question is asking whether your solution requires the institution to:

1. Install and maintain any physical hardware or virtual appliances within their network environment, or
2. Configure their firewalls to allow your employees to remotely access their systems for administration purposes.

This is being asked in a security assessment because both scenarios introduce potential security risks:

- Physical or virtual appliances that must be installed in the institution's environment create additional attack surfaces that the institution must secure and maintain. These appliances may require patching, updates, and ongoing security management.
- Inbound firewall exceptions create deliberate openings in the institution's network perimeter that could potentially be exploited if not properly secured. Remote administration access is particularly sensitive as it often requires elevated privileges.

The question helps the institution understand what additional security measures they might need to implement if they adopt your solution, and what potential risks they need to consider in their overall security posture.

When answering this question, be clear and specific about any requirements your solution has. If your solution is entirely cloud-based with no on-premises components, make that clear. If there are on-premises components or remote access requirements, explain what they are, why they're necessary, and what security controls are in place to mitigate risks.

Example Responses

Example Response 1

No. Our solution is entirely cloud-based and does not require any physical or virtual appliances to be installed in the institution's environment. All system administration is performed by our team within our secure cloud infrastructure. The institution only needs outbound HTTPS (port 443) access to our application, which is standard for accessing web applications. No inbound firewall exceptions are required, as our solution does not need to initiate connections to the institution's environment.

Example Response 2

Yes. Our solution requires the institution to deploy a virtual appliance that serves as a data collector within their environment. This collector securely aggregates log data and sends it to our cloud platform for analysis. The virtual appliance requires minimal resources (4 CPU cores, 8GB RAM, 100GB storage) and only needs outbound HTTPS (port 443) access to our cloud service. No inbound firewall exceptions are required, as all communication is initiated from the virtual appliance to our cloud platform. The virtual appliance receives automatic updates through this outbound connection and is hardened according to CIS benchmarks.

Example Response 3

Yes. Our solution requires both a physical appliance for network monitoring and inbound firewall exceptions to allow our support team to remotely administer this appliance. The physical appliance must be installed in the institution's data center and connected to their network. For remote administration, we require SSH access (port 22) to the appliance from our support IP ranges (which we can provide). We understand this introduces additional security considerations, but remote access is necessary for us to provide 24/7 monitoring, troubleshooting, and updates. To mitigate risks, we implement multi-factor authentication for all remote access, maintain detailed audit logs of all administrative actions, and can work with your team to establish a VPN connection rather than direct firewall exceptions if preferred.
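As an added example (not code from this page or from ResponseHub), here is a small audit an institution's security team could run to confirm that a proposed inbound exception matches the scope a vendor declares, as in Example Response 3 (SSH on port 22 from named support ranges only), and that an outbound-only answer like Responses 1 and 2 really contains no inbound rule. The rule format, the port list and the address ranges are constructed assumptions.

```python
# Added example: check proposed firewall rules against a vendor's declared scope.
# All rules and address ranges below are constructed sample data (RFC 5737 ranges).
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    direction: str  # "inbound" or "outbound", relative to the institution
    proto: str      # "tcp" or "udp"
    port: int
    source: str     # CIDR string, or "any" for an unrestricted source


@dataclass(frozen=True)
class VendorScope:
    ports: frozenset  # ports the vendor says it needs inbound
    sources: tuple    # CIDR strings the vendor says its support team connects from


def requires_inbound_exception(rules):
    """True when any rule opens inbound access: the 'Yes' case for REQU-07."""
    return any(r.direction == "inbound" for r in rules)


def audit_inbound(rules, scope):
    """Return findings for inbound rules that exceed the vendor-declared scope."""
    allowed = [ipaddress.ip_network(c) for c in scope.sources]
    findings = []
    for r in rules:
        if r.direction != "inbound":
            continue  # outbound-only traffic (Responses 1 and 2) raises no finding
        if r.port not in scope.ports:
            findings.append(f"port {r.port}/{r.proto} not in vendor-declared ports")
        elif r.source == "any":
            findings.append(f"port {r.port}/{r.proto} open to any source")
        else:
            src = ipaddress.ip_network(r.source)
            if not any(src.version == a.version and src.subnet_of(a) for a in allowed):
                findings.append(f"port {r.port}/{r.proto} from {r.source} outside declared ranges")
    return findings


# Constructed sample: vendor declares SSH from two support ranges.
SCOPE = VendorScope(ports=frozenset({22}), sources=("198.51.100.0/24", "203.0.113.0/24"))
PROPOSED = [
    Rule("outbound", "tcp", 443, "any"),             # appliance to vendor cloud: fine
    Rule("inbound", "tcp", 22, "198.51.100.0/26"),   # inside a declared range: fine
    Rule("inbound", "tcp", 22, "192.0.2.0/24"),      # undeclared source: finding
    Rule("inbound", "tcp", 3389, "198.51.100.0/24"), # undeclared port: finding
]

if __name__ == "__main__":
    for finding in audit_inbound(PROPOSED, SCOPE):
        print("FINDING:", finding)
```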

Context

Tab: Case-Specific
Category: Required Questions

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC-backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain points. They were confusing, hard to delegate and arrived like London buses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron
Founder, ResponseHub